Extracting prog: 3m18.285961914s
Minimizing prog: 12m10.528450754s
Simplifying prog options: 1m12.612518169s
Extracting C: 33.066837909s
Simplifying C: 2m52.430898256s


extracting reproducer from 21 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-socket-setsockopt$packet_tx_ring-setsockopt$packet_tx_ring-sendmmsg-recvmmsg-write$cgroup_freezer_state-openat$cgroup_root-openat$cgroup_procs-write$cgroup_pid-openat$cgroup_root-openat$cgroup_int-write$cgroup_int
detailed listing:
executing program 0:
r0 = socket(0x1e, 0x4, 0x0)
r1 = socket(0x1e, 0x2, 0x0)
setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f0000000440)=@req={0x3fc}, 0x10)
setsockopt$packet_tx_ring(r0, 0x10f, 0x87, &(0x7f0000000440)=@req={0x3fc, 0x0, 0x2}, 0x10)
sendmmsg(r0, &(0x7f00000030c0)=[{{0x0, 0xa9cc7003, &(0x7f0000000400)=[{&(0x7f00000000c0)="ee", 0x3514}], 0x1}}], 0x400000000000181, 0x9200000000000000)
recvmmsg(0xffffffffffffffff, &(0x7f0000008840)=[{{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f0000000480)=""/4088, 0xff8}], 0x1}, 0x1}], 0x1, 0x40000001, 0x0)
write$cgroup_freezer_state(0xffffffffffffffff, &(0x7f0000000080)='THAWED\x00', 0x7)
r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r3 = openat$cgroup_procs(r2, &(0x7f0000000240)='cgroup.procs\x00', 0x2, 0x0)
write$cgroup_pid(r3, &(0x7f0000000380), 0x12)
r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r5 = openat$cgroup_int(r4, &(0x7f0000000040)='cpuset.memory_spread_page\x00', 0x2, 0x0)
write$cgroup_int(r5, &(0x7f0000000180)=0x3, 0x12)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-bpf$MAP_LOOKUP_ELEM-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_IRQCHIP-ioctl$KVM_CREATE_VCPU-syz_usb_connect$uac3-syz_usb_control_io$uac3-mmap$KVM_VCPU-userfaultfd-syz_usb_control_io$uac3-syz_usb_control_io$uac3-ioctl$KVM_SIGNAL_MSI
detailed listing:
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f0000002340)={0xffffffffffffffff, &(0x7f0000002380)="7a1fbe9e57d90e6cd6a2e96c295a29c22b0e69e04c65eb8bf93f2f64ee0cdab276e4154c7a684e896e92045629d98680f6d7d0d571a1080049037caf195b9ed2e971568bd01465f3c33961c91549f25f1387e587fbf6d68b2da726ad313fedacb0ffad785068f81446ac78e9784c8553494afcaf71ce27e8a56e67a2eee9b728cbf90c191d03b8f316bad32e83291881321332b90b0f9900aed37b2879b0faae7e0a28e1e01f45a8b9e59f8783be1c56971cba0985af16bc71cd944367d43d60d6b854297575bcff01d3baa5b6e770efeadbb6", 0x0}, 0x77)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r2 = syz_usb_connect$uac3(0x3, 0x97, &(0x7f0000000700)=ANY=[@ANYBLOB="12010003000000103d100001400001020301090285000301d8100c080b0102010130020904000000010130000a2401100a00070000000904010000010230000904010101010230000905010920000e00030a2525ffffff7f0c80010904020000010230000904020101010230001724010600800000070002"], &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$uac3(r2, &(0x7f0000000000)={0x14, 0x0, &(0x7f0000000180)={0x0, 0x3, 0x2, @string={0x2}}}, 0x0)
mmap$KVM_VCPU(&(0x7f0000ffb000/0x2000)=nil, 0x930, 0x1000002, 0x4018831, 0xffffffffffffffff, 0x0)
userfaultfd(0x80001)
syz_usb_control_io$uac3(r2, &(0x7f0000000100)={0x14, &(0x7f0000000300)=ANY=[@ANYBLOB="ee0d06000000060a"], 0x0}, 0x0)
syz_usb_control_io$uac3(r2, &(0x7f0000000140)={0x14, &(0x7f0000000240)=ANY=[], 0x0}, 0x0)
ioctl$KVM_SIGNAL_MSI(r1, 0x4020aea5, &(0x7f0000000100)={0xffffffff, 0x8080000, 0x8410, 0x1, 0x1})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$uac2-syz_emit_ethernet-accept4$tipc-writev-ioctl$EXT4_IOC_CLEAR_ES_CACHE-socket$packet-fdatasync-sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET-timer_create-timer_delete-socket-inotify_init-openat$fuse-syz_mount_image$fuse-syz_fuse_handle_req-getrandom-syz_emit_ethernet-close_range-ioctl$sock_SIOCGIFINDEX-openat$vcsa-writev-sendmsg$nl_route-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-clock_gettime-clock_gettime-timer_settime-fcntl$setstatus-syz_usb_control_io$uac2-open$dir-syz_emit_ethernet
detailed listing:
executing program 0:
r0 = syz_usb_connect$uac2(0x5, 0x83, &(0x7f0000000140)=ANY=[@ANYBLOB="120100020000000882052500400001020301090271000301f81005080b020001052008090400000001012000092401908d9c6ffdff0a11004708240a0000057f000904010000010220000904010101010220000905010940000204d80825010230cc00000904020000010220000904020101010220000905820900040d0700082501010f041000"], 0x0)
syz_emit_ethernet(0x46, &(0x7f0000000080)={@multicast, @multicast, @void, {@ipv6={0x86dd, @udp={0x0, 0x6, "010700", 0x10, 0x11, 0xf91b8c0b3e328651, @dev, @mcast2, {[@srh={0x2f, 0x0, 0x4, 0x0, 0x8, 0x10, 0x8}], {0x0, 0xe22, 0x8}}}}}}, 0x0)
r1 = accept4$tipc(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000040)=0x10, 0x800)
writev(r1, &(0x7f0000000300)=[{&(0x7f0000000200)="c99e13047729cc2d8230a4eb2edaffa5037dba4ba384c9fd5afa34f528c368a0e528efdd4bc1c4e13b4267d8f0097e5d750c1dab469b04ce5bcc5dfe82bce31c380ee84adfd02f0010d80f0dc52aa42fbb6f92d12ef79103e64e2e3c3d8130ca3dc2e7ad726afe7826e8141abe8268d7a98104ec2fd6a541a47ebd227483d57bbb5b83f6af7a1b50c30c3772bb12a401cba841608ddd2e29dcc398f6c9de454d93db71758c6d2d4744b713b4c36e8b6dbedbe83acc8617a66c80384e126826ed9bd7185a905a447b2d3fb6e3b70b2ae233783dbc72789340bc51d0cba84a73d466b0d4", 0xe3}], 0x1)
ioctl$EXT4_IOC_CLEAR_ES_CACHE(r1, 0x6628)
r2 = socket$packet(0x11, 0x3, 0x300)
fdatasync(r2)
sendmsg$DEVLINK_CMD_SB_PORT_POOL_GET(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)=ANY=[@ANYRES32=r2, @ANYRES16=0x0, @ANYBLOB="000327bd7000fedbdf251300000008000100706369303a30303a31302e3000000000080003000000000008000b00d0090000060011000700000008000100706369001100020030082e303a30303a31302e3000000000080003000000000008001e9621ef000006"], 0x7c}, 0x1, 0x0, 0x0, 0x4000000}, 0x48050)
timer_create(0x9, 0x0, &(0x7f0000002c40)=<r3=>0x0)
timer_delete(r3)
r4 = socket(0x10, 0x3, 0x0)
r5 = inotify_init()
r6 = openat$fuse(0xffffffffffffff9c, &(0x7f0000002000), 0x2, 0x0)
syz_mount_image$fuse(&(0x7f0000002040), &(0x7f00000020c0)='./file0\x00', 0x0, &(0x7f0000004300)={{'fd', 0x3d, r6}, 0x2c, {'rootmode', 0x3d, 0x4000}}, 0x0, 0x0, 0x0)
syz_fuse_handle_req(r6, &(0x7f0000006180)="3ea4e4305830d12dd9009ddb857b480e92a48b3e45093694091ed788285937ce7b2473522335a690d828b02ab613f956aecae781037db019ffda49138a514ee99a088fd6a2a0028ea055aef75e65cdadd3589c49eb6088bdec10b6d405a915a037c1f8037e1b9301fe4296ab789db8c69c3636af08fbaffd5106dd3788c626c35510cc0ebafc64e8b300d0ffa3bcea4d2e036bbc8dae2e46312e9a637b3002b8931a66cbc28a30ee3287a18f1d162a5985f7ef467a43a807cb75d34504dce996e2a3f1bb43e867f141ed07ef08e0aea605cb5b10346efd6b41a23ea6741dba1e2416380b330788486bba4e359fc0d094cc5301530c1228fcd0e378e0260dbdd56788ad718cac668467d4c50a9878c501cabe3389dcf76acf0267489de4aec621656bdd3878de387af2a3dfa7dbf460daffbef878ce2536a57b05bc44a1e01ef54cca3ad250298c95a52ae9927030eb1096e00f265283a30b4ede2c934dc62c46929761e230567d2ba5999495a5a0977e3156a44365b177a07cae07864be9765ba56bc7ecb29264e6dad2e41eebfeb1ef4115b923c49a8e0919db1de67b1cc4c2f30a672d64efac91e63d7bbf75784aa49346338b22504452b36266eb5e924d4b215ce5037da7b98f09a8dcd086f36787cdd6fab9ce916d12b7b939f113be8b1872a75aa0d8977fe598227998c8b5fa3be8831006f6071d2522b1c9be03873844b0a6e2ca1489f2391981ed762f743e4bc35fd1ca7158bd995a7b801d8525ce381de5497916d59183636f72e9b58c72179f678d1d4434a1fd39d304c3b62cfca763ee8c6108bdca364a438145775a76462927207a7ae654801635dfe3c1915d2ab57a11675724b17c0becb9b20f95d5beea1dd5a6eb66ea864a7d22bdefdc6e13a2a4a8c7780b4250c92dd9bd99453f24268cedca6963ab64c024e56e6f3ae74cf8d1eb5bc3c7292f5fc7d37b4c48ca981b8f54528dedac99a19c1181698b1982668c49b1a6b55142944a0edf891659ea82570ceefe2ca50a95e7df6496acb6bd979ae4b5b6327a201288b8ddadfe0cb91bdd64e74f06deb0133385f5c9cb6e8e554e4fd29126f550adc440e6d42de1bd3ba0ed5d0ebc91bdaeecc7f253190a21eeb51a14b2d949fe86626a88fd33ccd40379f67de81341d225a116e60770ab972ed872c124cd7c0db88709a48487c1c9fa6442997431b99a1ac224a8523430ddcfd699ad27e16bbb54db40785b869328e8e804ed5fc2f4b3e4548a9e60d5b73b2ac8564e8424e0dd292924feb14fb76ed19b1d76edafb1bd5585717a9eb73a8bef605e3ef3f6f8518faab6559f5b4b7d2c07f73edf67d3780d8b5b2042788e5d2f7c7184a80a1951323632b62101094bd80acfae621e56cef19cd059c9ff72fe564944bf8063137fdc7905cb63489cf8d250bda94f453c94fb2f6f33f972c0ffc4830bc8d7fb98c4ed8ef2fa6e147002d488d97122d579a9b214b09f792279021a20a36a05c74c9a668bbc4ee5bba0d8f7e96fe9a61feb01b7c0537e47894c3e7b5d19ce1568f8d9f49f3adf9c02ac941a3edf68c841f29fbe82450c2bbdcb7270dd2f5722666bd21c0839541c907ff43da0a10a05e47ac636d4f9c59e2abfb00d31621ac3f0455723563e402bd3ec56a2b7e59a82262119b02eedda2baef71a5d5efd2533b7e6fc01d6cae9d514fe63b30fdbd92548760f876f8d77e7fd8500f83e6f4e6290e4df64c73d6ab61737797b05235dea939163cf55f322939014acef81d248baa46e1ffbca5a699f0824988b4313ae222bc8d3a3c1e875054a9494c9beac817179749b5cceabbb7cc40bdb8e18d598b683943a61fe105b868896d78e1e3a802774170ef3c1f339b6d20cfb5a260fa197aad2e18146ef53fa9c783772dc9e251c2140fe89709d007c5343681cdf4569d5f3190c0d799504aa0a9001e26a11708fbe929f63ff691a3a0c7a06125d3b3d13b3241abee4fa8c6d27b26eaa58b454e34fe20128a15cf7f96bfec32904af4b2e04c26bf9393d45b0d66a1a2f15780a67ff34daa1bad27262ec78f27f9ff77157ed5201bf257e1d1d06f2cd3a4cbc02bb9003caebc7e7e9fe7a256de9fc2cce105644c833ee659e3f6d526142d154a881cb70ba8df353a5714bfee5480cf8bff86c62c3a56d45f821d99413f8ea8207a41b7d577e5a1788d051c8c19cc1fc8be844f18227b7eeed330a213a58009c7ea3cfd5c77093b5315c90d36fe15ecd9d9e7e4208aac31abc3928d162449ee68f04aa2aaf5b8711529b97944a863085ed6b59b53b2ef8a397733d5207eb27a81c646eb7079aff7403181b0d658abcdc3445096844b3139ee23cb30f9527b5c84105604e8aa57b32e0470dffa95719415b74ce519ac27b20a38045a9792043d3c5b426deb70b3418d9475c6b85580e7e414c5a9ff35ce7c6fe2f2d5ee8d0aef619d8c2c06e0af87a9bad9dfa2f6ddb57c2e636563a9ee58c8613be2b329f4c16efbe56ae671e712e90712cc4f519276cd7cfa3e421e87ace7e5469665b4345322c77de68639a6f561a0d203d4823d4c3a84f1b2b04c60cd2fe855652c1000b0f5e1bcc2355496522a5046a849d407b5d86123432a41d64b549c1713dc3f0b4a787420c9d3dd3052dbac55dc15ca6584d08bbcc7ece7144fc179d302c5e0833b1f667e0f4110ad9b31f5b7e19e11fc1bf5ea0f9a81806ab5bfa8caff29b84c53c04a85d175c05a74d55b548ae69bb365760ebd841cfd094ce2d7cbf447285f53f5e7cb4ccda0a607c9cf7c3aec55966aca8b8ce33eb30a138c3e4d85e4def697e0e00defa03f2c501010baa3470450bec0acdfcdc7f530584e7c2600ba58722303a11c9387edcfbdc85f1128155374f9844f381c2a8a15bb7df67db46f30b9232d3d6037d86dbbbed316bcc5be6fb3ab78a19c9df2889188c7321ffed7795dfd67f3853e516cbaef5d079aac33cbd2cd920b560945744ae03611257ccc66e9523de5282efbf9871092795c05685cfe8749ff4a4cf42aa19fe4f935a71ba462860f1243824fc2888cccc6866f1c81f05bf993b58621cc8f9c6e72a7db971e1bb40632d75c119acbcdcb88b5f1ed4fa5162da82ea66c21f2064867d86abf308a1c65c0a16879d56e2e76ac4110acca20be3abb731effad3aef7f0da4acb9aed0283111670d5ceeba5a551dff13de90acc9dc3176923ad1791a73eb41a3f5c260e4df26a1b8782fa85e5cbf5c20a62bec97da4096264fafafc9f5dcb9a8ca2990a144d6bd138cddcba35fe3cd2609f0189d37e2d76f6d96ea2ba1d5ec9b42c94f254904cd938ea2004b43a111c2f5b53eca1bdb68f8e84fb5834098ea5dd6388d41c987763c8b2c9733f758dd74ce5eeda6cf28137a4d83a66f05d90fb1c9acb0214eb7e5d0869b201330b6fd1a2948e0ad0af0c4f3deb08fa875223ba27f1d42f63da665eaeac81ea9eca52ae1afaed3f4252976019de7d61059e29c8220e88a2d9a4e6202839c74db853670aeef953e1aa812889e4f8e153f9859af16f130053024a8bac43fad387cd526ef42bea5cad61230bbf89db7946a03101d18dc1ae46d046212ec5285564e65d876283fb937d6e38caaceb5716c8b2628b3a349058fe27fa58d53d6e5a769996217960e50846b2cd1b9fbc686f157e19d69a2050098097d45c2879e89e6fa3c5c79339fa3881fd228c29588befa5eb769a1cc1b67e8426b386ee0e6a80d7dd261b0ffb14b321190f1a390c6a0e8052a750d4cb587720ae43f6ffbd7f9328985b2aece118d4838c2eb55e8592823f74550b5d49377464890903f2650999fecb01fce6f6e51eae4f193bfab5f35b854cb0221e75898f111e94d5861fb15086889a5f804df2f7fd41cd49b663d352c59c6e8455f8287aab47cfba4d860c81ae1f61eb8bba8f18bfec3da3eec80bf39a6ff8d028650da69c108f98cdd8359756ff2b911fa688131121523187f1e449baeb64e332558c9d5ad9794e514a4239fe3277749506d69b3ba9df2c48d0111c526674e1ec144de88c58c93ef06da80e14675d0b14842a1ca644af3d7fd5907a46ae58df07f060088573683d14ab5310d471e139a47f8080fc282f16eae908671f35a9c1a7b2941ec86e85e15207e824437f8f79b173cde14b9fdcb9ecd82b224d45f724df18760a2913d907ed48a696367985713ab99d2416213f9991766161ce075aa6da4a7fba3a47c67d04ad7e669afada886f046363fb03a0cc795e5a1840e419967b1a19f40be8bf2a512015d486d00c4026ea86324b5b541ef8388f070800421c137d8ebe7c9a539b529a4af69165c1a6ea23534ce8efa7efb2ac55969df429f3b32d2f2aecb5087359c1b83224e4cfa2c583a1e147dc0202334a2c953383cc69e3a807299d86358b6f42a499eaa5d5680cd670fb49af6488c7cce6efae45682f98d63371eced65de02a82bf560a335ba630283dd77bd3d15296bc21bc337fc1b6d34d77ea7f681055459447f01b65623218dbadbd1958a249ebb76fea35d56299a017c4d7920fb0433d5769bc5130d8a5ed950f8084ba0036078374b82ad14a232f137214bcaa82ea7fcf7393ff4226aa1effda1d44a6100896ebcffb9414baf53c77c84113ef99f89f9f282b19b0e057893ef9c81399e1db0e3a25549dbdc69895e5eebbc545e468401d18dd20afd2913f89c3c0d95d54d5145f5cf434287e01b73b2646a7dc42e0f64fcdc1f3853aa41a6242c6cbafebfd62d147dce9368259beefe4d28179750893fcbdab5956f582372c1c616db2a23537a353e08e275fece1a7c0c0bd9483160fc643ceed9d687d520e944923f1eeccfe7f2e5e1c5876810efa0deb7f00c8f606ca5c14e3bab922243d013288622cad6667696e6759742376f7546339ad37a9246c98a6500686aaec51e2391285e7bdac34fbd4a1df2147bbee2d56c7189b4aeb3880bbc63e6b922b27133497be09318b064166ee8b5ca1c360dc510592bb3077293ff7e48bbfd2221a8c823eef8e677b51b40c7a8bfed1def9e19af5a418b65567ad9cecf4c16232683740dfceef0bde563a0942db0d77493b2d683d413d9fbd0ac8fca1ecaf6e57fd7ae680a493d8c697d3cc038cfcfc55a9a30152ce450dfec029a4edbd38f10222149a87d358f881847d4daf8b182d6b1313d616a767dbd9d71c7a3ca896021216665fcb2c8fbddb593013118cc8ab5044bd6f99bb278ad871917c9b1684cecb2d0e8babaf33fd98c02d8451aa48f3b2a6d6e9a5d12910c7aff613cbcdda418a76abff697229b47783577d0ce2f0041e1360a10f607612405b9b06180d85617ff9c5993a986b32071cf4c43b97f53eef9311929cb8035ec5c2f65cdc40bd757d612de5b9a7eca6e7e70365dd47256ff9f6e22e91ff22bbbee51e153d5321dc76ee8a664505da2039da1fc87e3727f085a47ce3eb52b95edb41ea295b79752c672348621e4d49c48b7d065d116cd1ebe6203e9ed62a9d3367eec2ed7cf3e4762b5f71c6ab34a953482414b762a455ded6e0ede9e07c3b9915aa51aded822c57a72ee3ed236b7c8c3b26db5092baba5d4d385d1e3c0e0d860da91b33a85c20e30da31b890f85a88a5c105e8aa32d6033beafff9ff510a7c7fa566b86eb473c702fcf08449c581650c42b90843b1baabbe95b476983fc98397abb52450a65505212b25c94a2fe3d64816eb9a76e8e8e945b7dd544aa039e61fc6331d88ee4ba297bf0d59a04c95579b62f316da65064247cc1d45792f1510103708d636c53f201b1dc2004a479bccef0bab9bff46eaaedbaa445417ee040c568ca95e606d9d9431798e91491f48434551cb8d8b4b81b389d43845e04d98dc0edbb74eae8d13ef3f662a26d7e548218952bfb4d697bd5c3700cea776ac3eb0ebae5c101bc341688371e31bda8cf7819ff4fa3a478faf97582d497112e510b2986f4238d3d4219024ac82eddc2dfe6d42dd1652ec09548768cb0a46e475493a75a75c54c47ec1e6265d34a87634e09394c77a41b01f374a79333951eec0423e037e0a5dd3cd12dbcc25fbb028613aa7382bade63c1d300b0a6d021f65fca7905e622eb54bde35d59c169f970e3de01272229e78382c7e87cc052da8b7b2dda1d29bc42fd2b7091feab28c14dd9cca5c8946afd8a466c681025128d3f752a8bfd2a8bc0c1bd89c01ad7803d8fe9ea1247e25d8ec18e0c18b8e6293b85cca5535a075b799519623d98a9bb393df5f17065a7f11142320e3138fae891346ca10040fda33128909b485ca1fa733f7d44e424d8dabe3f38d4249c3cb3f22d10521e536be978ff2dee276098db46b56e782596a68d5144ea1f2dff227956f4f860135ec2e0cee212a51b63c60e775fa2e0a7dbcb6f3d27f09dbaf55343bd2af3aee72ed39e15919d3e5b2bc67710c88a68806f1713313887e72e6af52f7de7009399b81cadfe76bff2b61e53b259218bf854d52644bd8e722e170bf9b109ee819b960b8d9da0d2dacf48083bd8a766d3818eae48ba408e18c63c8b59e282553a71f62083e6a007ffa6ce8ad271b7202da28f1d6be4332f404c1e2b98acc4d783785c1eab14361db6382594a9bbc3304f121f198948c91fe58d96aa6a8e12cc3f46f283e635548d96341fe3052aed45be1970010bb76325873b7902f0f73bf21fbe0a5cef6ec0b50902174c3515c89421a496737024b22db73916c4a41d294b8eec3913421b784a2629132461d4e6d5498a88b87abe2e385df8688b70b075e2139def62c18c60f96c1715e203850155ea7bc8d67e77428e9c96a3edf06d984f29959217633a907e7aa0f9792313fd30c6f767b79981ccbf1bf87942cf082090761f9faf5afb90f56a80908cdf34387d3c9ac4d27321b8b2c64f66eb3bc0f7937b0771b68eee977d5f3682fedb04e51868e4e588eb625a71db0057655af478006000000000000001129d95ef85921db8b584af8e389297c8d59eb4f5f784474e5e293f48c5cc45e490878c31d32bcbfc88d51f96eee3cfaaea0e443505825a52603a06aa8cdc8920af575650833e7715dc2205ecba7e304eb121cb0d65609b853974fe9ddee9b9cb9fe4d1c08fed5b2f3d0f51e104635dba4857520e0cf319438659cb765bbbe6bed3a6451a85e3efe32707b2c84d7fbb99cd80b3529605b221b808cf34bfe776607cb4074cb9371306c74f3c38a4b48f8a8da8a02be28a08f5a0da463aa85863ef54276c4f414667d3812deb6b0e882381932585e3d08c6f3c2c13b9987088b345e1216b3d525c99820c0b6688d9c0271f648da1881e58fbf5bc02acf226d9e90a64911ebb27b415f3ff4f7bdeb9fdd5bb1f39a99f909f80af444b902d1bd96562882da6e0ce9efb2adfdcd78803164a5ebacd12d6246571066e8f05a37d9eebbf41a88926b6bcb287f4ef47728ec00bd96ccd72eefd5815fa9e2840a100e08be686e6b664c938a0eaa7588e87d69809af59268f3c4e92a98a663f83481668e0f3ee684a6728fa38c75cf66ac73dcee17dfa5ca94601b1e5ff91215492270e24c4abe4dce8686e99d3c64e7c3f5972152da99388bb59e282a1e300627e542cfea5a390dd11f0c95f52702982c0e8c690c1e7bca2ecffb7287b617090ace76f818fa8a9078978e1e249a7f4fa281fb3174fec950f6b9afaabb3279e22c9c37a4ea1c05df6c49c1b89b2ed23ca3673f388f502edd3edc358549c039eeec6ca4ae3404bbfb688c3d90cbd4a092e035ec48c3bb1ef08e2b1b6326622419356669a8399954dcbeddb197de9fb5407e105d800b6cfa91de41b2eb3ad2ead5487b9c7b11e76f2ad08711b00cb8f3da6794398a961853bdcbde90086ff13d69154442c8caa36d56862581a9f326f85c6722be613caf2329d4ff9734c99016390e793b6ef90c540ad3c7478d7b221a71e0f10575ce5f666e2425903f3c358c4dc5b29133da5027b541898b501cfa144e166d1b1d7470d05aeda051a1cd5bc3bafee7ccf8564682cd728d0dfaa4f731438de2ca3095f105c0bad8f3b039a427729ba1f96238403e3d1c8a2bdf1730253d6c78e42f4dc5a6079e95ea5013a9d335e628ee7d2dd1c7f2d25342b2be5c9fef9fd5eeddc8665c1a39705231538d0f3a19e9c021a7d6d2d1c6b3f4b483e6198ca6d269db9e82746c5ea36c70f29fc98462ecaeed27547de6435a82112b2ec9a8c1e759f82d04810824d97f1ca45071f6ac242b90b218f2c2c9b4cd42b56dbeb5e947a8e8b476749ab8cc7d910fdb17529440107a565737b69440cac0b418858d62fb7af804c5e483faa849a6375ea62581eff9c4dd3ccacdbab7af9fe9b2be75cb2e322c296cb91a792ab424f77ff348d07dfc2a5c5af476cc7c44de169dc1702ddbd5e4d7fb11172d8eab6df3b70c7b66fec5177a533ed44641c291ed9d8cea6832c24c3cd279c9f3bbb355fe47364d23af48cf8a86d27727ab2adf771641ff447291fa9ba99cf5c2cec5c968d565aabe16cd07d752f7d5b2c78e77cbd2dcb2bc151a35207026c98b755eb0e6fdc94628de7653f7a461e0b51f5c089fc4db6deca2243e3e5532bcc279dfccd2651db61565968dfce800e995626a4bf045e3522b996dee4bd10980ede518f4a5d986f41c53f0e2820853337869645c31c41c9563f1c01ce651e916f7472b04929feecd09ff768bdf74f0b40a0c58555f2a390db9bb7990dc31f995ac4bbf1f90271cd4b90ef7fcd096c34040fbd4a74aefdc5a6b8edf38da8084c87564b10e6e2cd7d0ea6849cff02c06e4df741c278f0d29ed6c6c739376e1c262f9d780fec67aeb519cfa669c9d6487ba527e0ccf5012954dbb3ecdbd3f5be1c018784cf83b3bd040e7116be8401be644a7acf7761a9a18f28c894662f8dd13b1aea577c81bf2447753b57853765eae4353b65475e10c3b36bf0d0dc3199dabff76a06f70b173fac295db1f52100547050f052b9d287155bc8b04435ef35902395ae894bed80080fd3becba14c51da2cf34e2999cdbbf652dc6862e8e65f675b1d7e5da57fbfb497e8111dfe77164372d707a5857325c47afb462f7a38f617d158e8a28fda6d121e532e44b2ca9cef3c34a7a8d748c4edd061b62f6ab7344317b0dbd8ce4836142719a7c0835901236180840246527f3ba39cb64614e95d4af008d281b53853532abdc663051d041af7d1aa9766ab185efb77fcf278f09577e01e507a2034f435b66cab7692a1733d1ad3d5d566396fcacfd1bbdf542e35136a49e2d3cbc21ce157ff051a0c1b636b159f370366565a8ddadaa1502b425ef27a1ff070c52bd17595ee507dc984aeb14d2aba07fe786f3733e3527d5bbfcacfb09d3d5cf94738d1b13d2590b1bb1ea2eb400e9605f90b4b23c125622da85ece62e4493938099a4058e0b3dda2532c6d62bd033ee7a1cd7683620a6501e3ca420f9a64f462bbd4f125d154beff38c8f4a1278f9d6194289234d7e9fd397feb24fe1a8636e334d1342fa590b4578b3c677aae57119bea99ff7a5635b98ee867a282e5f3444b70415c0c33942f041c28589ba0de67d7b7ebe43ec6656f60c82c9d75bc8dac80791cd59a9c576ccf726cc97befcb9aeedf32b9ec6f4aaf043ab9bfc4712ee6bc4906dcd9766658ce56fea361518bb54ccca4bbb82eb64e417a37899ab31736ffddf51f97aa710b29f18ada97a200bd65d655364149db2c41cf32bac2c4bf799bb2356335a4fa01016da72bc7dd99b3f902f8b80a89d19bb04f8c49cdc5a78b17b52d52c06f18baa9839332f3ae59909748cd4dac49c1901f3c2dec64ccb40a49fed1699fe1140f8602384a930fed2ed6f9c120c9e6158aae34d8ec8a4fb0cb7ae19c2865e3939b499b5a08183c342ff4af2b3400980879aaa6e29784e90bfc915b9f31e79b742420952bda798a8b88c77134cc5752630e57fa23f9b174535e3244c9fa475d1b2829fdb768d22d6564e55556fd3750bbb223f3b5748a57c899d324f359c3842fddf8055e1b40588365393b84aa798fcc8b321ba1eeac33d340eda01fdf697e81bb5b55852f6b355a7dd2082cf087949cf9fbbf697af8f81c20f25a1c0b92fcb06dddc50c5d9e989a15a2fb7d0544f1844e3f46711165bab1658615f440b71f93ddb713ba91e8f4d91dd17243082d61cf43fd08861d42f41f1ebc68be633bfcc79b14cdfd7b171ed4b282a926055ce26e7fcf40d1e8e7d05ce6660fdb825dff76d735bce7b43c98e5b6c4763ccff99b45c1439859ccfc61756c298eef7424c465aadcd71455448827e39e5ec21293f2007617fae73b74de8efe349c726a9dac11524720fed5214101b4f26ad6fec2215a54980512a57358545899c6898692d805134d606b3022d16954747d247db0093dbec65fa7d101439ccee58a8790ee0daec0976a743d8f7aabbaf8d9945e95ceede27387e2faebe8d1eae6feedb78cdf016c6c5888e56ab4830b002513f87aed9bb4988784c0debd8f566ea9c8467bab4a52a52de9e262f16ffe222ac1ac6f6d5de557eead4554f03bc8ebd681daa2ae6cf93587d32dcf53a184f5019f0fad0729095a5788b04fc6987064b80c6bba46e36fdd767ca9c6819445e95ec7d60c3f9b2716c206a589e413fd7bf1d8fd3f1245ff54d6db4d7b45f20cb4f6dc8bcde65484d70ac38921f89261d27fc85203b801867850457a3b61fd55e805bd3c40a336bf87101d8914d21c8c968e934ce265cca3efe21d3ae1b78848f7b50a9a2e9b51bfca2ff7e0292ede0aa013af1c09242d6e53f23a216b8ccc64402a46eef3411c06cabb5435b1d2d8ddffc2c3dbbbb0e707e03ae0c518414dc7304dec25084891255011dd133d235e663ff38ee78c9abb93c9f692c5195222c881e35431d638367c7e570c962646424dae41fa2b2af118a93add1e088aaf7e1dd108c7096f4f9868a8af02cc15db7493ef011d320c6d64f6de56a51748e9dc4b7bd1bd515d3e9522a65e87e25477f71a6bddaf7ee5a01d424ac153efaa52f1e56fbef9f66efe5642f7dae41e419a64be65635a088885717942d475daa806ab151b087525446227d0d75a493d5a98486365b3981b3bb77a7c6c6ed44a120a98d0f2d35e8ce83837004c39bf09ac5723b1d7d7392f6e94462e86de853c6841027c697236331e19aa45693b2dbeffea7b00f0b284e49b04935327b9808576b397cb48d6b1960d06058f1cf2d0641d7c99e79dc9d47efd1d5bde85bb51ffe4a687c2d364713ee0ca4981f371c7a418b61118431984324f84f8cdd6e2849c00c1f14b1732a08ffa08d39c312dd809f15c8a651cbec053e870ac04c131946d80a8e684c8f309881f98220d7e532773d4d8304ae53428390ca7914a408030fae3b47619352d8a1edc33856530f806b8efe61bedcbe199aca4dbe79bdacb08b361e31f59c00463071fb19edbc0cb84c59130770fcd17643f7c37c1f54753f40fbeeeee31b22d89944ac6ee913e63145e3e35f804d2cbd08d9f2e278be717872a4fae63d8a8b462f715c3191d394a67a724fab2e4ec31c439fb2fa01295aeb56910fd406316bdfed587c1b42a733542a55793303e59dc23a40bc9b9f5713a3dc21b95b591ac9863f31a4ecd160e7d9b7b2ec2b137e67", 0x2000, &(0x7f0000002140)={&(0x7f0000001580)={0x50, 0x0, 0x1, {0x7, 0x29, 0xffff4ff1, 0x508101, 0xc0f7, 0x2, 0x8, 0xa7fff, 0x0, 0x0, 0x80, 0x1}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
getrandom(0x0, 0x0, 0x0)
syz_emit_ethernet(0x3e, 0x0, 0x0)
close_range(r5, 0xffffffffffffffff, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000340)={'bridge_slave_0\x00', <r7=>0x0})
r8 = openat$vcsa(0xffffffffffffff9c, &(0x7f0000000100), 0x842, 0x0)
writev(r8, &(0x7f0000000580)=[{&(0x7f00000003c0)="ff071d6ce89d96666b08e828be032f55097076e40148c200000000fb00000200000000000000", 0x26}, {&(0x7f0000000bc0)="d18a876f8f46c153dde8db040cc7e763ba2fab29aca1a1a2e0a38bc757e61b5aab090000000000000051ed697ff263589940cf437f1efae8e2342bb1adc1c9d8febaecb3aef2d7650869408a287d92d06f5d660a68f3f0a39e926d8dbd6f8d9de335fe4c520feaffc62c3435ab63a2f77234987d3b1130d31bd78fb28883050a1b8dd4ea2cdc62703eb86600dba7da620ad621c21b75893f334cfc82a3931e8cf3dfa12d31fa32797f5a940475fd8947bde48c8126a44eb9d229126e34e0d8aace15047ccd5bd0932270c88dac48e0bbb2af55a35efca697fe5435b19f", 0xdd}, {&(0x7f0000000340)="a9", 0x1}], 0x3)
sendmsg$nl_route(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="700200001300290a000000000000000007000000", @ANYRES32=r7, @ANYRES32], 0x270}, 0x1, 0x0, 0x0, 0x20008014}, 0x4)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff7ffc}]})
clock_gettime(0x0, &(0x7f00000003c0)={<r9=>0x0, <r10=>0x0})
clock_gettime(0x0, &(0x7f0000000400)={<r11=>0x0, <r12=>0x0})
timer_settime(r3, 0x1, &(0x7f0000000440)={{r9, r10+10000000}, {r11, r12+60000000}}, 0x0)
fcntl$setstatus(r1, 0x4, 0x4000)
syz_usb_control_io$uac2(r0, &(0x7f0000000100)={0x14, 0x0, &(0x7f0000000480)=ANY=[@ANYBLOB="0003040000000403"]}, 0x0)
open$dir(&(0x7f0000000340)='./file0\x00', 0x44c201, 0x8)
syz_emit_ethernet(0x78, &(0x7f0000000180)={@local, @empty, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x6a, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x4e22, 0x56, 0x0, @wg=@data={0x4, 0x0, 0x0, '\x00'/62}}}}}}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ptmx-ioctl$TIOCSETD-fcntl$dupfd-ioctl$TCFLSH-syz_mount_image$ext4-ioctl$TIOCSTI-ioctl$TIOCSTI-ioctl$TIOCSTI-sendmsg$nl_route_sched-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0)
ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)=0xf)
r1 = fcntl$dupfd(r0, 0x0, r0)
ioctl$TCFLSH(r1, 0x400455c8, 0x0)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000500)='./file2\x00', 0x1018ed8, &(0x7f0000000000)={[{@sysvgroups}, {@bsdgroups}, {@data_err_ignore}, {@jqfmt_vfsv0}, {@discard}, {@usrjquota}, {@grpquota}, {@quota}]}, 0x6, 0x662, &(0x7f0000000640)="$eJzs3c9rXFsdAPDvvZOkSRpf+kTEFxQDLt4DaZrUYtWNbV3YRcGCXYi4aGiSGjr9QZOCrYUm4EJBQcRtkW78B7qX7l0IIqg710IVqVjQ0pH7Y5rJZCYz+TEzTebzgcmce++5Oec7d87cc2bmzA1gaM1mf9KIjyLeXk8iphu2TUWxcbbM9+pfj29ktyRqte/+M4mkXFfPn5T3J8uF8Yj446WIT1d2lrv28NGtxWqt8CTizPrte2fWHj46vXp78ebyzeU7C2e/du78/NcXzi00VHT/Tpb3l6985/O/+MkPv7ryp+rpJC7EtdEfL0VTHIdlNmbjbRli4/qRiDifJVo8LkfNnkL4Vu/qwf5UyufjaER8Nqajki8VpmP15wOtHNBTtUpEbXdJpwzAUbX/5n2i/hoCHEn1fkB9bN/dOPhaD3sk/fXyYjEA2hn/SPmWw3g+Npp8lTSMjIr3Nk4dQvlZGW8ejz9983jmaWx7H+L1u6MzcgjltLOxGRGfaxV/ktftVB5pFn+6bayfRMR8RIyV9TvI0D5pSPfifZjddBl/JYu/8TikEXGhvM/WX9pn+c1va/U7fgCG04uL5Yl8I1vaOv9lfY96/ye2+j9P6vtNHfwjmdygz3/t+3/18/143u9Jm/phWZ/laut/Odq84m8/u/yrduUX/b+Zp/VbVn69L9gPLzcjZpri/2kWbNn/yeJPWvR/syzXL3RXxrf//I/L7bYNOv7as4iPW45/tnqlWWqXzyfPrKxWl+eLvy3L+N3vf/DbduW3jv9EDyJtLTv+k23ibzj+afN+2WNyr/W/3Gxe8fzqs9vtyp/qePzTv48lxXhzrFzzo8319fsLEWPJlTJLuX5xff3+2d3jLfK8ruX3C0X8n3ypdfvf9vxvimqi/pLZhXvfu/Wq3bb9PP8bPkx+W+uyDu1k8S91Pv5b7X+ivjXil12W8Z/vP/hCu22t408OGBUAAAAAAAAMpzT/DDZJ596l03Rurpgv+5mYTKt319a/vHL3wZ2liE/y70OOppEm+VdGpovlZGW1urxQfh+2vny2afkrEfFhRPy6MpEvz924W10adPAAAAAAAAAAAAAAAAAAAADwnjhZzv+vX6f635Vi/j8wJDpfYG7H9R+AY6KXF5gE3m95+9/tFP9B/+oC9JfzPwwv7R+Gl/YPw0v7h+Gl/cPw0v5heGn/MLy0fwAAAAA4lj784ou/JhGx8Y2J/JYZK7eZ9AvH2+iecld6Vg+g/7RoGF7vPvrX2Yeh01X//7/ljwP2vjrAACStVuadg9rujf9Fyz23bB68bgAAAAAAAAAAAABA4eOP2s//39vcYOCoMe0PhtcB5v/76QA44vb90/9jh1sPoP+M8YEOs/hjvN2GTvP/AQAAAAAAAAAAAIBDM5XfknSunAs8FWk6NxfxqYg4FaPJymp1eT4iPoiIv1RGT2TLC4OuNAAAAAAAAAAAAAAAAAAAABwzaw8f3VqsVpfvNyb+t2PN8U7Ur4LaOXOtizy7Jr4Ze9wrkv4/LBMRMfCDsi3xvLzc7J53/0P5PG/YNNKQJ4nYyDYPPMAiEe9HNfLEoF6RAAAAAAAAAAAAAAAAAABgeDXMPW5t5jd9rhEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9N/W9f87JJYmix26yrw9MegYAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICj6f8BAAD//0v+Lvc=")
ioctl$TIOCSTI(r1, 0x5412, &(0x7f00000000c0)=0x4)
ioctl$TIOCSTI(r1, 0x5412, &(0x7f0000000100)=0xd)
ioctl$TIOCSTI(r1, 0x5412, &(0x7f0000000140)=0x3)
sendmsg$nl_route_sched(r1, &(0x7f0000000380)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000340)={&(0x7f0000000080)=@deltaction={0x294, 0x31, 0x400, 0x70bd26, 0x25dfdbff, {}, [@TCA_ACT_TAB={0x4c, 0x1, [{0x10, 0x11, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0x10, 0x16, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0xc, 0xb, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x1000}}, {0x10, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0xc, 0xc, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x1}}]}, @TCA_ACT_TAB={0x70, 0x1, [{0xc, 0x18, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xd}}, {0xc, 0x1, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xf1}}, {0x10, 0x5, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'gact\x00'}}, {0x14, 0x14, 0x0, 0x0, @TCA_ACT_KIND={0xd, 0x1, 'connmark\x00'}}, {0x14, 0x13, 0x0, 0x0, @TCA_ACT_KIND={0xd, 0x1, 'connmark\x00'}}, {0xc, 0x10, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7}}, {0x10, 0x1e, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'police\x00'}}]}, @TCA_ACT_TAB={0x1c, 0x1, [{0xc, 0x1f, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x3}}, {0xc, 0x10, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'nat\x00'}}]}, @TCA_ACT_TAB={0x28, 0x1, [{0xc, 0x7, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x1}}, {0xc, 0x13, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7fffffff}}, {0xc, 0x14, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x621}}]}, @TCA_ACT_TAB={0x38, 0x1, [{0x10, 0xa, 0x0, 0x0, @TCA_ACT_KIND={0xa, 0x1, 'pedit\x00'}}, {0xc, 0x1a, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x9}}, {0xc, 0x14, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xffffffe7}}, {0xc, 0x11, 0x0, 0x0, @TCA_ACT_INDEX={0x8}}]}, @TCA_ACT_TAB={0x74, 0x1, [{0x14, 0x1d, 0x0, 0x0, @TCA_ACT_KIND={0xf, 0x1, 'tunnel_key\x00'}}, {0xc, 0x14, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x807}}, {0xc, 0x18, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x5}}, {0x14, 0x4, 0x0, 0x0, @TCA_ACT_KIND={0xf, 0x1, 'tunnel_key\x00'}}, {0xc, 0x3, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'ife\x00'}}, {0xc, 0xa, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x3}}, {0xc, 0xc, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x6}}, {0xc, 0xd, 0x0, 0x0, @TCA_ACT_INDEX={0x8}}]}, @TCA_ACT_TAB={0x1c, 0x1, [{0xc, 0x1e, 0x0, 0x0, @TCA_ACT_KIND={0x7, 0x1, 'xt\x00'}}, {0xc, 0x5, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'ife\x00'}}]}, @TCA_ACT_TAB={0x34, 0x1, [{0x10, 0xf, 0x0, 0x0, @TCA_ACT_KIND={0xc, 0x1, 'skbedit\x00'}}, {0x10, 0x14, 0x0, 0x0, @TCA_ACT_KIND={0xa, 0x1, 'pedit\x00'}}, {0x10, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0xc, 0x1, 'skbedit\x00'}}]}, @TCA_ACT_TAB={0x2c, 0x1, [{0xc, 0x17, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x3b}}, {0x10, 0x1e, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'gact\x00'}}, {0xc, 0x1, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xb}}]}, @TCA_ACT_TAB={0x58, 0x1, [{0x10, 0x19, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'skbmod\x00'}}, {0xc, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0x7, 0x1, 'xt\x00'}}, {0x10, 0x14, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'police\x00'}}, {0x10, 0xa, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'csum\x00'}}, {0xc, 0x13, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7}}, {0xc, 0x10, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xa55}}]}]}, 0x294}}, 0x892)
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000002bc0)={0x0, 0x0, &(0x7f0000002b80)={&(0x7f0000000000)=ANY=[@ANYBLOB="280000001100010027bd7000ffdbdf2500000000", @ANYRES32=0x0, @ANYBLOB="c58001008018000008001b00000400"], 0x28}, 0x1, 0x0, 0x0, 0x40000100}, 0x40004)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
single: successfully extracted reproducer
found reproducer with 8 syscalls
minimizing guilty program
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(0xffffffffffffffff, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x0, 0x0, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x24, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x45, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x33, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x7, 0x24, 0x3, 0x3, 0x9}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0x0, 0x0)

program did not crash
testing program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0x0, &(0x7f0000000100))

program did not crash
extracting C reproducer
testing compiled C program (duration=36.51758545s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program did not crash
simplifying guilty program options
testing program (duration=36.51758545s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
extracting C reproducer
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
simplifying C reproducer
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
testing program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
testing program (duration=36.51758545s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$midi-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$midi(0x4, 0x53, &(0x7f0000000180)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x8, 0x1430, 0x474b, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x41, 0x1, 0x1, 0x9e, 0xf0, 0xa, "", {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x3, 0x30, 0xe, [@midi_out_jack={0x15, 0x24, 0x3, 0x3, 0x9, 0x7, [{0x39, 0x3}, {0x8f, 0xfa}, {0x2}, {0x11, 0xd3}, {0x6, 0x5}, {0x8, 0xb}, {0x2, 0xf}]}, @ms_header={0x7, 0x24, 0x1, 0x8, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @ms_header={0x7, 0x24, 0x1, 0xfffa, 0x7}, @midi_in_jack={0x6, 0x24, 0x2, 0x6, 0x2}]}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
reproducing took 22m15.674087371s
repro crashed as (corrupted=false):
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1fdf/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855b380c by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb

The buggy address belongs to the variable:
 .str.57+0xc/0x20

Memory state around the buggy address:
 ffffffff855b3700: 04 f9 f9 f9 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
 ffffffff855b3780: 06 f9 f9 f9 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9
>ffffffff855b3800: 00 03 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
                      ^
 ffffffff855b3880: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff855b3900: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1ebf/0x2860 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb
================================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
   9:	fc ff df
   c:	e9 67 ff ff ff       	jmp    0xffffff78
  11:	e8 d0 f7 fa ff       	call   0xfffaf7e6
  16:	55                   	push   %rbp
  17:	48 89 e5             	mov    %rsp,%rbp
  1a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1f:	0f 00 2d b0 f6 61 00 	verw   0x61f6b0(%rip)        # 0x61f6d6
  26:	fb                   	sti
  27:	f4                   	hlt
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	c3                   	ret
  2a:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  31:	00 00 00
  34:	66 90                	xchg   %ax,%ax
  36:	55                   	push   %rbp
  37:	48 89 e5             	mov    %rsp,%rbp
  3a:	41 57                	push   %r15
  3c:	41 56                	push   %r14

final repro crashed as (corrupted=false):
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1fdf/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855b380c by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb

The buggy address belongs to the variable:
 .str.57+0xc/0x20

Memory state around the buggy address:
 ffffffff855b3700: 04 f9 f9 f9 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
 ffffffff855b3780: 06 f9 f9 f9 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9
>ffffffff855b3800: 00 03 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
                      ^
 ffffffff855b3880: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff855b3900: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1ebf/0x2860 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100294f00 RCX: 0000000000007ede
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff110200529e0 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:204 [inline]
 do_idle+0x368/0x620 kernel/sched/idle.c:328
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
 start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
 secondary_startup_64_no_verify+0xad/0xbb
================================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
   9:	fc ff df
   c:	e9 67 ff ff ff       	jmp    0xffffff78
  11:	e8 d0 f7 fa ff       	call   0xfffaf7e6
  16:	55                   	push   %rbp
  17:	48 89 e5             	mov    %rsp,%rbp
  1a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1f:	0f 00 2d b0 f6 61 00 	verw   0x61f6b0(%rip)        # 0x61f6d6
  26:	fb                   	sti
  27:	f4                   	hlt
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	c3                   	ret
  2a:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  31:	00 00 00
  34:	66 90                	xchg   %ax,%ax
  36:	55                   	push   %rbp
  37:	48 89 e5             	mov    %rsp,%rbp
  3a:	41 57                	push   %r15
  3c:	41 56                	push   %r14